[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Soln for Syn flooding

To: Bill Stackpole <bstackpole@orminc.com>
Subject: RE: Soln for Syn flooding
From: Dave Wreski <dave@nic.com>
Date: Wed, 04 Aug 1999 20:47:56 -0400 (EDT)
Cc: firewalls@lists.gnac.net

On 03-Aug-99 Bill Stackpole wrote:
> There are two approaches to dealing with SYN floods.  Support so many tcp
> connections that no one can send you enough open
> request to use them all.  The other is to adaptively reduce the time-out for
> SYN requests based on the number of available connections that remain.  In
> other words, I have 20 connections available and a 30 second timeout.  When
> I have only 8 conections available the timeout is reduced to 10.  Only 3,
> reduced to 5, etc.

What about half-open SYNs?  Our IDS is picking these up as a normal course of
daily activity, and I wondered if that is something that should filtered out. 
What exactly is a half-open SYN, what causes it, and can it safely be filtered
out when originating from internal machines?

Thanks,
Dave

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]

Prev by Date: RE: Time to break up: call for a plebiscite
Next by Date: Re: Solaris-on-Intel Firewalls
Prev by thread: Re: Soln for Syn flooding
Next by thread: RE: Soln for Syn flooding
Index(es):
- Date
- Thread